16600 matches found

NVD | added 2023/07/21 9:15 p.m. | 19 views

CVE-2023-37918

Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. A vulnerability has been found in Dapr that allows bypassing API token authentication, which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HT...

CVSS 7.5 | AI score 6.8 | EPSS 0.01129
Exploits 1 | References 3

Qualys Blog | added 2023/07/21 5:00 p.m. | 81 views

Add Unique Asset Context with Custom Attributes in CSAM

There is no such thing as “too much context” when it comes to asset management. Continuous discovery and comprehensive, normalized asset data create the foundation for streamlined risk detection and response. The more reliable asset data a security team has, the better it can operationalize an...

AI score 7
Exploits 0

RedhatCVE | added 2023/07/21 11:30 a.m. | 43 views

CVE-2023-37276

A flaw was found in aio-libs aiohttp, where it is vulnerable to HTTP request smuggling, caused by a flaw in the aiohttp.web.Application. By sending a specially crafted HTTPS request, an attacker can poison the web cache, bypass web application firewall protection, and conduct Cross-site scripting...

CVSS 7.5 | AI score 6.3 | EPSS 0.01422
Exploits 1 | References 4

Veracode | added 2023/07/21 8:44 a.m. | 31 views

HTTP Request Smuggling

aiohttp is vulnerable to HTTP Request Smuggling. The vulnerability occurs due to the use of a vulnerable llhttp component. When a specially constructed HTTP request is submitted, it leads to HTTP request smuggling because the server interprets one of the HTTP header values incorrectly. Only aiohttp...

CVSS 7.5 | AI score 6.9 | EPSS 0.01422
Exploits 1 | References 6 | Affected software 1

Veracode | added 2023/07/21 8:38 a.m. | 19 views

OS Command Injection

github.com/1panel-dev/1panel is vulnerable to OS Command Injection. The vulnerability exists in the 1Panel firewall functionality which allows an attacker to inject and execute arbitrary commands using a specially-crafted authenticated HTTP request...

CVSS 8.8 | AI score 7.4 | EPSS 0.05354
Exploits 1 | References 4 | Affected software 1

Hacker One | added 2023/07/21 1:25 a.m. | 35 views

inDrive: Bypassing Garbage Collection with Uppercase Endpoint

A vulnerability was discovered in the garbage collection process, allowing the bypass of the "/metrics" endpoint by using uppercase letters. This could potentially lead to unauthorized access to sensitive information or resources and possible data manipulation. Other endpoints with similar patter...

AI score 6.7
Exploits 0

Tenable Nessus | added 2023/07/21 12:00 a.m. | 28 views

Fedora 38 : nodejs16 (2023-608a1417d3)

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-608a1417d3 advisory: 2023-06-20, Version 16.20.1 'Gallium' (LTS), @RafaelGSS. This is a security release. Notable Changes: the following CVEs are fixed in this release:...

CVSS 7.5 | AI score 6.8 | EPSS 0.03906
Exploits 1 | References 6

Tenable Nessus | added 2023/07/21 12:00 a.m. | 31 views

Fedora 37 : nodejs16 (2023-61e40652be)

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-61e40652be advisory: 2023-06-20, Version 16.20.1 'Gallium' (LTS), @RafaelGSS. This is a security release. Notable Changes: the following CVEs are fixed in this release:...

CVSS 7.5 | AI score 6.8 | EPSS 0.03906
Exploits 1 | References 6

PyPA | added 2023/07/20 2:52 p.m. | 4 views

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Impact: aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6, which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HT...

CVSS 7.5 | AI score 7.2 | EPSS 0.03906
Exploits 2 | References 4 | Affected software 1

Github Security Blog | added 2023/07/20 2:52 p.m. | 67 views

aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Impact: aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6, which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an...

CVSS 7.5 | AI score 6.8 | EPSS 0.03906
Exploits 2 | References 9 | Affected software 1

OSV | added 2023/07/20 2:52 p.m. | 1 view

GHSA-45C4-8WX5-QW6W: aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Impact: aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6, which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an...

CVSS 6.9 | AI score 6.7 | EPSS 0.01422
Exploits 1 | References 8

OSV | added 2023/07/20 2:52 p.m. | 1 view

PYSEC-2023-120: aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

Impact: aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6, which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an...

CVSS 7.5 | AI score 6.7 | EPSS 0.01422
Exploits 1 | References 4

Packet Storm | added 2023/07/20 12:00 a.m. | 257 views

phpFM 1.7.9 Authentication Bypass / Shell Upload

Exploit Title: phpfm v1.7.9 - Authentication type juggling
Date: 2023-07-10
Exploit Author: thoughtfault
Vendor Homepage: https://www.dulldusk.com/phpfm/
Software Link: https://github.com/dulldusk/phpfm/
Version: 1.6.1-1.7.9
Tested on: Ubuntu 22.04
CVE: N/A
"""
An authentication bypass exists in...

AI score 7.1
Exploits 0

Tenable Nessus | added 2023/07/20 12:00 a.m. | 37 views

Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2023-237)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-237 advisory. The use of __proto__ in process.mainModule.__proto__.require can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the...

CVSS 7.5 | AI score 6.7 | EPSS 0.03906
Exploits 1 | References 10

Tenable Nessus | added 2023/07/20 12:00 a.m. | 150 views

Zimbra Collaboration Server 9.0.0 < 9.0.0 Patch 33 Multiple Vulnerabilities

According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities including:
- Vulnerability in the sfdcpreauth.jsp component. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code. CVE-2023-29382
- HTTP reques...

CVSS 9.8 | AI score 7.6 | EPSS 0.8377
Exploits 11 | References 9

Tenable Nessus | added 2023/07/20 12:00 a.m. | 120 views

Zimbra Collaboration Server 8.8.x < 8.8.15 Patch 40 Multiple Vulnerabilities

According to its self-reported version number, Zimbra Collaboration Server is affected by multiple vulnerabilities including:
- Vulnerability in the sfdcpreauth.jsp component. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code. CVE-2023-29382
- HTTP reques...

CVSS 9.8 | AI score 7.9 | EPSS 0.8377
Exploits 11 | References 10

NVD | added 2023/07/19 8:15 p.m. | 24 views

CVE-2023-37276

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only...

CVSS 7.5 | AI score 6.3 | EPSS 0.01422
Exploits 1 | References 4

OSV | added 2023/07/19 8:15 p.m. | 1 view

DEBIAN-CVE-2023-37276

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only...

CVSS 7.5 | AI score 6.2 | EPSS 0.01422
Exploits 1 | References 1

Prion | added 2023/07/19 8:15 p.m. | 35 views

Design/Logic Flaw

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only...

CVSS 5 | AI score 7.5 | EPSS 0.01422
Exploits 1 | References 4 | Affected software 1

OSV | added 2023/07/19 8:15 p.m. | 0 views

UBUNTU-CVE-2023-37276

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available, which is the default case when installing from a wheel. This vulnerability only...

CVSS 7.5 | AI score 6.5 | EPSS 0.01422
Exploits 1 | References 6